Search

How can we help?

Privacy and Data Protection

International transfers

 

Political and legal developments mean that the rules underpinning international transfers of personal data are constantly evolving. Our data protection team ensure that our clients are able to carry out global data transfers and data sharing arrangements in full compliance with current laws and regulatory guidance.

What is an international transfer?

There is no legal definition for this. However, the UK General Data Protection Regulation (UK GDPR) and other UK data protection laws  specify mandatory requirements for any “restricted transfer” to be carried out legally.

Restricted transfers are those where:

  • The UK GDPR applies to the processing of personal data to be transferred.
  • The personal data is being sent to (or will be accessible to) a party to whom the UK GDPR does not apply.
  • The receiving party is a separate organisation or individual legally distinct from the transferor.

How can personal data be transferred internationally?

If the transfer is a restricted transfer, the data can still be transferred but organisations have to consider the relevant requirements under the UK GDPR.

Where the recipient is in a country in receipt of an ‘adequacy decision’ (for example, one in the EEA), meaning it’s been judged to have an adequate level of protection, transfer is relatively straightforward.

Failing this, organisations can still transfer personal data, provided the recipient has adequate safeguards in place (as set out in the UK GDPR) and on condition that any individual to whom the personal data relates has enforceable rights and effective legal remedies available to them.

If there’s no adequacy decision or adequate safeguards then a transfer can only be made in very limited further circumstances set out in the UK GDPR.

What are adequate safeguards?

There’s a list of adequate safeguards in the UK GDPR but common ones relied upon include binding corporate rules (i.e. agreements governing transfers between companies in a group) and standard data protection clauses.

There are generally now two types of approved standard clauses, these being:

  • For transfers of data from both the UK and EEA – standard clauses approved by the EU with a UK Information Commissioner’s Office (ICO) addendum attached.
  • For transfers of data from the UK only – the ICO’s International Data Transfer Agreement (IDTA).

In addition, the ICO advises organisations that are making restricted transfers from the UK, to conduct a Transfer Risk Assessment before they enter into an IDTA and establish any necessary measures to ensure data is adequately protected.

Why You Need a Solicitor

The rules on international data transfers are complex and constantly changing.  Our team of experts can help you:

  • Identify if there is a restricted transfer
  • Consider whether the transfer of personal data is permitted under the UK GDPR
  • Draft and advise on contractual documentation including IDTAs
  • Assist you in conducting the required Transfer Risk Assessment

Contact Our Expert Data Protection Solicitors

If you need any assistance with international transfers, please contact our data protection team who will be happy to help.

Contact us

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – International transfers

This refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity located in another country, i.e. such data being accessible from overseas.

The UK GDPR contains rules on the transfer of personal data to outside the UK, where these rules apply to all transfers, no matter the size of the transfer or how often you carry them out.

Yes, you can provided you have the correct arrangements in place. Transfers from the UK to the EEA do not require any new arrangements, however transfers (known as ‘restricted transfers’) to ‘third countries’, will require additional safeguards.

This will depend on a case-by-case basis, however before making a restricted transfer, you should consider if the personal data needs to be sent, and whether any personal data could be anonymised so that it is not possible to identify individuals.

Broadly, the following questions should be considered under the UK GDPR before a restricted transfer is made:

  • Is the restricted transfer covered by ‘adequacy regulations’?
  • Is the restricted transfer covered by appropriate safeguards?
  • Is the restricted transfer covered by an exception?

Related services

Artificial Intelligence

Audits

Data breaches

Privacy documentation

Subject access requests

Key contacts
Ashan Arif

Partner

View profile

+44 118 960 4651
Louise Keenan

Associate

View profile

+44 118 960 4614

Read, listen and watch our latest insights

art
  • 20 June 2025
  • Privacy and Data Protection

Data Protection reform receives Royal Assent: What is the Data (Use and Access) Act 2025 (DUAA) and what it means for your business

The UK’s data protection framework is about to undergo its most significant change since the UK GDPR came into force. After months of parliamentary debate, the Data (Use and Access) Act 2025 (‘DUAA’) has successfully received Royal Assent.

Pub
  • 16 June 2025
  • Privacy and Data Protection

WhatsApp in the workplace: Is it legally safe?

In this podcast, Lucy White and Monica Mastropasqua, members of the Data Protection team at Clarkslegal, will address frequently asked questions from clients regarding the use of WhatsApp at work.

art
  • 13 June 2025
  • Employment

Human Resources – A Shift Towards artificial intelligence?

On 6 May 2025, the SRA authorised the first law firm providing legal services through artificial intelligence. Garfield.Law will provide an AI-powered tool which can assist businesses with the small claims court process, to aid in recovering unpaid debts.
art
  • 04 June 2025
  • Privacy and Data Protection

Decrypting the ICO’s Draft Updated Guidance On Encryption

Where data breaches are easily achieved by human error, encryption not only offers a secure way of sending personal data, but also provides another layer of protection if a data breach was to occur.
art
  • 27 May 2025
  • Privacy and Data Protection

Extension of UK adequacy: The European Data Protection Board adopts the European Commission’s decision

Earlier this year, the European Commission adopted an extension of the two 2021 adequacy decisions with the UK for a period of six months, until 27 December 2025.

art
  • 21 May 2025
  • Privacy and Data Protection

ICO investigating online platforms and the importance of having a good privacy notice

The ICO has recently reported that it is investigating how social media and video sharing platforms use UK children’s personal information.

See More

Our related expertise

IP and Commercial

Providing guidance on contracts and agreements across all sectors, to minimise risk and maximise profitability.

Find out more

forburyTech

From brainstorm to market, provides concise, clear, and jargon free advice for start-up and small businesses in tech.

Find out more

Contact Ashan

+44 118 958 5321